Closed venkatamutyala closed 2 months ago
I believe the fix is that GitHub needs to just submit their provider GPG key to opentofu:
OpenTofu Technical Lead here - Just a note @kfcampbell, as you've marked this as up for grabs - the public gpg key needs to be submitted by a member of this organization, for the registry to accept it.
Hmm...our private key is stored as an Actions secret, which is great because the actual content of it isn't stored anywhere else to my knowledge. I unfortunately have no idea where our public key exists as a file. This could be a bit of a hassle.
@kfcampbell you’ve probably added it to the HashiCorp registry, and should be able to get it out of there.
@kfcampbell
If you can't get your public key from any other source, you can get it via:
curl 'https://registry.terraform.io/v1/providers/integrations/github/6.0.1/download/linux/amd64' | jq --raw-output '.signing_keys | .gpg_public_keys | .[0] | .ascii_armor' > github_registry_key.pub
Note that the /6.0.1/download/linux/amd64 portion of the URL is necessary solely to satisfy the registry's API.
I attached the key for reference. github_registry_key.pub.txt
You can get its fingerprint:
gpg2 --with-fingerprint github_registry_key.pub
... which should return
pub rsa4096/0x38027F80D7FD5FB2 2020-09-03 [SC]
Key fingerprint = F319 28FA CE52 F1A1 3A6C 60EA 3802 7F80 D7FD 5FB2
uid terraform-provider-github (https://www.terraform.io/docs/registry/providers/publishing.html#preparing-and-adding-a-signing-key) <jcudit@github.com>
sub rsa4096/0x52C9A746AB3CA576 2020-09-03 [E]
Key fingerprint = 7A4F 66FD EDDB 55B0 818A B464 52C9 A746 AB3C A576
Key fingerprint = F319 28FA CE52 F1A1 3A6C 60EA 3802 7F80 D7FD 5FB2 matches your build logs:
... since that env var is used by goreleaser to sign: https://github.com/goreleaser/goreleaser-action?tab=readme-ov-file#signing
@kfcampbell ... are you able to use the instructions above to get the key? Once you have that key, the PR to Open Tofu should be very easy: https://github.com/opentofu/registry/issues/new?assignees=&labels=provider-key%2Csubmission&projects=&template=provider_key.yml&title=Provider+Key%3A+
Only you (or someone else from GitHub) can take care of this.
Once you do so, it will allow users of GitHub and OpenTofu to securely use this provider to manage their GitHub resources.
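The fingerprint check from the comments above, as an added example that is not part of the original thread or of either project: it pins the full 40-hex-digit primary-key fingerprint rather than the 64-bit key ID, ignores subkey fingerprints, and rejects input that holds more than one primary key. The function names are hypothetical, and the `gpg --with-colons` sample is constructed from the key IDs and fingerprints quoted in the thread.

```shell
#!/bin/sh
# Added example: pin the provider signing key by its full primary fingerprint.
# Function names are hypothetical; the sample data below is constructed.

# Primary-key fingerprint quoted in the thread.
EXPECTED_FPR='F319 28FA CE52 F1A1 3A6C 60EA 3802 7F80 D7FD 5FB2'

# Constructed `gpg --with-colons` output, built from the key IDs and
# fingerprints quoted in the thread (not captured from a real gpg run).
SAMPLE_COLONS='pub:-:4096:1:38027F80D7FD5FB2:1599091200:::-:::scESC:
fpr:::::::::F31928FACE52F1A13A6C60EA38027F80D7FD5FB2:
sub:-:4096:1:52C9A746AB3CA576:1599091200::::::e:
fpr:::::::::7A4F66FDEDDB55B0818AB46452C9A746AB3CA576:'

# Strip spaces and upper-case, so the human-readable form compares equal
# to the 40-hex-digit form in gpg's machine-readable output.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin and print the fingerprint (field 10 of
# the fpr record) of each primary key. An fpr record that follows a sub
# record belongs to a subkey and is skipped.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin describes exactly one primary key and its full
# fingerprint equals the pin passed as $1.
check_pin() {
  found=$(primary_fprs)
  [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
  [ "$(normalize_fpr "$found")" = "$(normalize_fpr "$1")" ]
}

# With a key file argument, inspect it with gpg (assumed to be GnuPG 2.2+,
# which provides --show-keys); with no argument, check the sample above.
if [ -n "${1:-}" ]; then
  gpg --show-keys --with-colons "$1"
else
  printf '%s\n' "$SAMPLE_COLONS"
fi | check_pin "$EXPECTED_FPR" \
  && echo "fingerprint matches pin" \
  || { echo "fingerprint does NOT match pin" >&2; exit 1; }
```

Run it with the downloaded key file as the only argument (for example `github_registry_key.pub`); on systems where the binary is installed as `gpg2`, change the command name accordingly.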
Bumping, trying to migrate our workflows to OpenTofu and cannot pull in the GitHub provider because of the missing GPG keys.
@kfcampbell Any update on this?
After several months in the "terraform vs. opentofu" limbo and being stuck on terraform 1.5 my organisation now also decided to switch to OpenTofu. It would be great to be able to properly install the GitHub provider.
Just tried escalating via GitHub Support. Here is their response:
We had a similar experience with support. For those of us using GitHub Enterprise, I suggest reaching out via sales channels to see if we can get traction.
@nickfloyd Can you maybe help with that?
Thanks in advance! Pascal
Anyone here spending a decent amount on GitHub enterprise that could help push this forward via their sales rep?
Hi! Sorry it's taken me so long here. I've opened https://github.com/opentofu/registry/issues/675 where I've attempted to follow the instructions from @StephenWithPH here. Please let me know if you'd like me to upload the key in a .pub file or make any other changes!
Thanks for taking care of this. The key is now available in the OpenTofu registry and signature validation works. 🚀
This issue can be closed.
Expected Behavior
I wasn't expecting this notification when using opentofu:
Actual Behavior
I am being warned that signature validation was skipped
Terraform Version
opentofu 1.6.2
Affected Resource(s)
Initialization of the provider
Terraform Configuration Files
No response
Steps to Reproduce
Use opentofu and initialize with the github provider
Debug Output
No response
Panic Output
No response